[Ach] Current OpenSSH settings (Was: "*poke* Is this alive, Jim?")

Aaron Zauner azet at azet.org
Sun Apr 23 07:08:51 CEST 2017


Related to the original post: there's been discussion on the changes
suggested by ilf.

Please contribute over here:
https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/133

BTW: I also have my doubts about the state of this project at the time.
Very few people have been contributing and reviewing suggested changes over
the past two-or-more years. Unfortunately this is not a one-off project -
it needs maintenance and to be checked regularly for errors, new findings
or possible corrections. Unfortunately I don't see that happening at any
point in the future. I've voiced similar concern more than two years ago
already as people lost interest. I'm still going through GitHub PRs from
time to time, but am mostly relying on configuration settings shipped by
the upstream project or distribution, hand-picked settings and have been
using the Mozilla cipherstrings (
https://wiki.mozilla.org/Security/Server_Side_TLS) for TLS services for a
long time, to be honest.

Aaron / azet

On Mon, Nov 28, 2016 at 12:21 PM, L. Aaron Kaplan <kaplan at cert.at> wrote:

>
> > On 27 Nov 2016, at 21:10, ilf <ilf at zeromail.org> wrote:
> >
> > I think the interwebs really needs a project like BetterCrypto.
> >
>
> Thanks :)
>
> > Unfortunately, this project seems pretty dead to me.
> >
> > 1. The website https://bettercrypto.org/ has 8 posts: 1 in 2013, 5 in
> > 2014, and 2 in 2015. There have been no updates in over 2.5 years.
> >
>
> Well, it's not dead. I think there is simply a pause with the authors.
> One main contributor was gone now for nearly half a year.
>
> But, we definitely do intend to continue and adapt the guide to the
> latest developments.
> This guide is also quite important for the authors for their own work
> (it's easy to look up current best practices).
> So, I would not worry about the future.
> A pause is a pause and not automatically death :)
>
> > 2. There have been a few updates in the repository, but only 4 in the
> > last 6 months: https://git.bettercrypto.org/ach-master.git/shortlog
> >
> > 3. The XMPP GroupChat advertised on https://bettercrypto.org/contribute/
> > is empty.
> >
> > 4. This list has about 1 thread per month. In August, one of those
> > threads was a complaint about not receiving feedback.
> >
> > So: Is this thing still alive?
>
> Yes.
>
> >
> > If yes: Let's show some enthusiasm, update the website, submit a
> > lightning talk at 33C3, debate, and work!
> >
> So, guess what - a lightning talk at CCC is definitely in the making :)
> Me and Pepi will be there.
>
> > If no: Maybe it's time to shut this down? We're talking about crypto
> > recommendations here, that stuff gets old quickly (bitrot, technical debt).
> >
> > What do you think?
> >
> > My original question was: I have written a recommendation for ssh_config
> > and sshd_config for OpenSSH 7.3. Where do I submit this? GitHub? This list?
> > https://git.bettercrypto.org/ach-master.git?
> >
> GitHub pull request.
> Discussions are on this list.
>
> Best,
> a.
>
>
>
> --
> //  CERT Austria
> //  L. Aaron Kaplan <kaplan at cert.at>
> //  T: +43 1 505 64 16 78
> //  http://www.cert.at
> //  An initiative of NIC.at Internet Verwaltungs- und Betriebs GmbH
> //  http://www.nic.at/ - Company register number 172568b, Regional Court Salzburg
>
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
>